Data Processing Addendum

Insofar as BoogieBoard LLC (“Data Processor”) processes Personal Data (defined herein) on Customer’s behalf (“Data Controller”) in the course of performing BoogieBoard’s Licensing Agreement and Terms of Use (the “Agreement”), the terms of this Data Processing Addendum (“Addendum”) shall apply. Any capitalized terms not otherwise defined in this Addendum shall have the meaning given to them in the Agreement. In the event of a conflict between any provisions of the Agreement and this Addendum, the provisions of this Addendum shall govern and control with regard to the processing of Personal Data. References to “Data Protection Laws”shall mean any law applicable to Data Processor’s processing or use of Personal Data, including (to the extent applicable), Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data (“GDPR”), and The California Consumer Privacy Act of 2018, AB375, Title 1.81.5, including any implementing law, as amended (“CCPA”), as amended from time to time. For purposes of this Addendum, “Personal Data” shall mean any data, information or record that is processed in connection with the Services (i) relating to an identified or identifiable natural person, or (ii) that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual or household, regardless of the media in which it is maintained. “Data Subject” shall mean any natural person whose Personal Data are transferred by the Data Controller to the Data Processor or from either Party to a subprocessor.

1. Processing

1.1 Responsibilities of the Data Controller

The Data Controller represents and warrants that it has all necessary rights to provide the Personal Data to the Data Processor for the processing to be performed in connection with the Services. To the extent required by Data Protection Laws, the Data Controller is responsible for providing all necessary privacy notices to data subjects, and, unless another legal basis set forth in the Data Protection Laws supports the lawfulness of the processing, for obtaining any necessary consents from Data Subject to authorize the processing required under the Agreement. Should such a consent be revoked by a Data Subject, the Data Controller will inform the Data Processor of such revocation, and the Data Processor is responsible for implementing Data Controller’s instruction with respect to the processing of such Personal Data. Data Controller is also responsible for fulfilling requests from Data Subjects regarding their Personal Information, with reasonable assistance from the Data Processor.

1.2 Responsibilities of the Data Processor

Data Processor will only process, store, and use the Personal Data it receives from the Data Controller as necessary to provide the Services, to fulfill its rights and obligations in the Agreement and Addendum, and pursuant to Data Controller’s prior written instructions. The Data Processor shall never retain, use, disclose, sell, or process the Personal Data other than as specified in the Data Controller’s documented instructions or as otherwise permitted by law.

The Data Processor further undertakes (i) to implement appropriate security measures in order to preserve the confidentiality and the integrity of the Personal Data; (ii) to give access to the Personal Data only to its employees, agents, and the subprocessors duly authorized as a result of their position and qualification and in accordance with Article 6 herein (“Subprocessors”) and to limit such access to what is necessary for the Services; (iii) to inform the Data Controller of all requests addressed directly by a Data Subject with regard to its right of access, communication, rectification and/or opposition or any other right related to its Personal Data and shall not answer to such request without the written prior consent of the Data Controller; (iv) to cooperate with the Data Controller and/or the competent authorities in the event of a control, inspection or audit required by the said authorities; (v) to inform and cooperate promptly with the Data Controller (a) if it believes that it may no longer be able, or no longer is able, to comply with this Addendum, particularly in case it receives or must reasonably expect to receive a request or order of a competent authority requiring it to disclose, or refrain from further processing, some or all Personal Data to which this Agreement applies; or (b) if any accidental or unauthorized access has occurred.

At any time upon written request of the Data Controller, the Data Processor shall return to the Data Controller the Personal Data or delete all or part of the Personal Data in the possession of the Data Processor and all copies and shall confirm it to the Data Controller upon written request.

2. Confidentiality

The Data Processor shall treat all Personal Data as Confidential Information under the Agreement, and it shall inform all its employees, agents and approved subprocessors engaged in processing the Personal Data of the confidential nature of the Personal Data. The Data Processor shall ensure that all such persons or parties given access to Personal Data have signed confidentiality agreements with obligations no less restrictive in the use and protection of Confidential Information than those in the Agreement and this Addendum.

3. Security Measures

Considering the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Data Processor shall implement appropriate technical and organizational measures to ensure a level of security of the processing of Personal Data appropriate to the risk. The Data Processor shall maintain and follow written security policies that are fully implemented and applicable to the processing of Personal Data. At a minimum, such policies will include assignment of internal responsibility for information security management, devoting adequate personnel resources to information security, carrying out verification checks on permanent staff who will have access to the Personal Data, conducting appropriate background checks, requiring employees, vendors and others with access to Personal Data to enter into written confidentiality agreements, and conducting training to make employees and others with access to the Personal Data aware of information security risks presented by the processing. b) At the written request of the Data Controller, the Data Processor shall reasonably demonstrate the measures it has taken pursuant to this Article 3 and shall allow the Data Controller to audit such measures, to the extent it does not require providing access to other customers’ data. Subject to such restriction, the Data Processor shall reasonably cooperate with such audits carried out by or on behalf of the Data Controller, shall grant the Data Controller ́s auditors reasonable access to any premises and devices involved with the processing of the Personal Data, and shall provide the Data Controller ́s auditors with access to any information relating to the processing of the Personal Data as may be reasonably required by the Data Controller to ascertain the Data Processor ́s compliance with this Addendum.

4. Data Transfers

To the extent Data Controller transfers any Personal Data from (a) the European Economic Area, or (b) a jurisdiction where a European Commission positive adequacy decision under Article 25(6) of Directive 95/46/EC is in force and covers such transfer, then the parties agree that such Personal Data is subject to the model contractual clauses annexed to EU Commission Implementing Decision (EU) 2021/915 (the “Clauses”), which are located at https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32021D0915 and hereby incorporated into the Agreement. In such cases, Data Controller is the ‘data exporter’ and Data Processor is the ‘data importer’ as defined in the Clauses. To the extent that Data Controller transfers any Personal Data from the United Kingdom, the parties agree to use either the UK international data transfer agreement (IDTA) or the UK Addendum in addition to the Clauses, which are located here: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/international-data-transfer-agreement-and-guidance/#:~:text=The IDTA and Addendum form,2021 to 11 October 2021

5. Security Breach

The Data Processor will notify the Data Controller without undue delay upon discovery of any suspected or actual security or confidentiality breach or other compromise of Personal Data, describing the breach in reasonable detail, the status of any investigation or mitigation taken by the Data Processor, and, if applicable, the potential number of data subjects affected. Data Processor will not communicate with any third party regarding any security breach except as specified by other party or by applicable law.

6. Subprocessors

The Data Processor may subcontract any of its Services-related activities or allow any Personal Data to be processed by a third party with Data Controller’s prior consent. With respect to subprocessors, Data Processor shall (i) take reasonable steps to ensure that the subprocessor is committed by written contract to provide the level of protection for Personal Data required by the Agreement, this Addendum, and Data Protection Laws; (ii) identify all subprocessors used to Process Personal Data upon Data Controller’s reasonable request; and (iii) provide Data Controller with prior notice and the opportunity to object within a reasonable time to any changes to such subprocessors. Where the subprocessor fails to fulfil its data protection obligations under such written agreement, the Data Processor shall remain fully liable to the Data Controller for the performance of the subprocessors’ obligations under such contract. The Data Processor’s current list of subprocessors can be found at Addendum B, and shall be deemed accepted by Data Controller upon signature of the Agreement.

7. Data Subject Rights

The Data Processor shall assist the Data Controller by appropriate technical and organizational measures, insofar as it is possible, for the fulfilment of the Data Controller’s obligation to respond to requests for exercising the data subject’s rights under the Data Protection Laws.

Subprocessors

What is a Subprocessor?

In order to provide our Services, BoogieBoard engages the Subprocessors listed in the tables below. A Subprocessor is a third-party engaged by BoogieBoard LLC, and its applicable Affiliates, to process Customer Personal Data. Capitalized terms used herein are defined in BoogieBoard’s Data Processing Addendum.

List of Subprocessors